Tuesday, November 18, 2008

Security Metrics Quick and Easy Compliance Contact

I just got off the phone with http://securitymetrics.com and talked to a specific guy by the name of Mike Decker. Mike told me that he'd be happy to help any of you become PCI compliant. I can't believe how easy this was! He was incredibly gracious about my lack of understanding of this whole thing. As a matter of fact, all I did was give him the 5 IP addresses that Mark Rudolph sent me via e-mail, and he ran the scan right there. He told me that I was compliant as long as I answered the 11 questions (which were easy)...

PLEASE CALL YOUR MERCHANT SERVICE FIRST IN REGARDS TO PCI COMPLIANCE. If required, contact Mike Decker below...

Here is Mike Decker's contact information:
Mike Decker
Security Metrics
801-995-6329
He told me that he usually is able to get to your phone call within 5-10 minutes. He said if you can't get in touch with him, just call this number 1-801-705-5665 and they'll make sure you are taken care of.

NEW PERSON THAT TOOK OVER MIKE DECKER'S JOB

Mike Decker is no longer at Security Metrics. New contact:

Jonathan Clark
Compliance Consultant
jonc@securitymetrics.com
Office 801-995-6368
Tech 801-705-5700
Fax 801-724-9700
www.securitymetrics.com

Sincerely,
Mike Weiland
http://readydvd.com

11 comments:

NewDVDnow said...

Hello, this is Tracy, a new "blogger"! Thanks for all the information on this page - it is great!! I was wondering if you do this PCI compliance, does that mean you don't have to pay the fee now or get reimbursed?? Thanks again, Tracy

Mike at ReadyDVD said...

I am going to work on getting back a complete reimbursement. I'll let you know what happens. I understand there were a few of you that already got $50 back.

DVDNow CHicagoland (Tom) said...

Hi Mike,

What was the fee for Security Metrics?

Mike at ReadyDVD said...

I was charged $139.95 from First Data for the non-compliance thing. With Securitymetrics, I didn't have to pay anything. Now, I am going to send the proof that I am compliant and I'm hoping they waive the charge and return my money.

Mike Weiland
http://readydvd.com

Joe Fusco said...

I was not charged this fee. Is it because I'm new, started last month? Maybe it will come?

Mike at ReadyDVD said...

I am now and have been PCI compliant. They gave me $50 back and that's about it. Securitymetrics was great.

Sincerely,
Mike Weiland
http://readydvd.com

Unknown said...

What is PCI compliance?

Mike at ReadyDVD said...

The major credit card issuers created PCI (Payment Card Industry) compliance standards to protect personal information and ensure security when transactions are processed using a payment card. All members of the payment card industry (financial institutions, credit card companies and merchants) must comply with these standards if they want to accept credit cards. Failure to meet compliance standards can result in fines from credit card companies and banks and even the loss of the ability to process credit cards.

There are six categories of PCI standards that must be met in order for a retailer to be deemed compliant.

Maintain a secure network

This standard refers to the actual network that cardholder data is exposed to. In the case of an online business, the most obvious vulnerability for this standard is the web server. Luckily, most hosting companies take responsibility for ensuring the security of their networks. However, there is more to this standard than meets the eye. Do you keep cardholder data (even just names) on a laptop that you use on public networks? Does your office network have a firewall installed and reasonable security measures in place?

In short, whenever any personal information about a cardholder is stored on a computer (which is also connected to a network), that computer must be behind a firewall and all reasonable measures must have been taken to protect that particular network.

Protect Cardholder Data

This category focuses on how cardholder data is stored and transmitted. Business owners that choose to store cardholder information have an obligation to protect that data. Protecting information means that not everyone can access it. Businesses that store actual credit card numbers will often store them as encrypted data, so that even if someone got access to the database they still could not decipher the information in it.

Ecommerce businesses need to be especially critical of the way that cardholder data is transmitted. When a customer makes a purchase on a website, his/her cardholder information is sent across the Internet. During that transmission, cardholder data must be encrypted with at least a 128 bit SSL certificate in order to meet this standard.

Maintain a Vulnerability Management Program

This one is relatively simple, and translates to keeping up to date with your systems. Vulnerability exposure can be minimized by regularly updating computer hardware, operating systems and software. Keeping up to date anti-virus software, as well as running regular virus scans, is another requirement to meet this standard if your systems are susceptible to such vulnerabilities.

Implement Strong Access Control Measures

The most exploited breach in security is the human element, which is harder to protect. Part of meeting PCI compliance means limiting access to cardholder data to only those persons that need to use it. In addition to restricting physical access to cardholder information, business owners are also responsible for assigning a unique identification to each person that does have access.

Regularly Monitor and Test Networks

Networks that store cardholder data must be monitored and tested regularly. Regular scans of security measures and processes, and monitoring and tracking of network access to cardholder data, are required to satisfy this standard. Consider signing up for a security testing and auditing service, such as ScanAlert's Hacker Safe program, which can help you to identify and fix potential security problems as they arise.

Maintain an Information Security Policy

Considering that humans are generally the easiest part of a system to hack, and also that ignorance does not relieve liability, it's important to draft and implement a company-wide information security policy. Make sure that your employees know and understand their responsibilities with regards to cardholder data before it becomes an issue.

The first step in PCI compliance is to meet the above standards. Credit card companies and financial institutions validate that vendors are abiding by the regulations, giving them ratings based on their volume of transactions. The rating that a company receives determines the process that they must go through in order to be validated. Next month, we’ll take a look at the four validation ratings, and what each rating means to a company.

I found this at http://www.practicalecommerce.com
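The "Protect Cardholder Data" section above says stored card numbers should be kept so that someone who gets into the database still cannot read them. The following is an added example (it is not from the practicalecommerce.com article, the blog author, or Security Metrics) showing the simplest way a small merchant's software can meet that goal: validate the number, keep only a masked display form, and store a keyed HMAC token in place of the full PAN. The key in `TOKEN_KEY`, the `store_card` function and the in-memory `db` dictionary are assumptions for illustration; in a real system the key lives in a key-management service or HSM, never next to the tokens.

```python
"""Cardholder-data handling sketch: validate, mask and tokenise a PAN so the
full card number is never written to the merchant's database.
Added example; not code from the article or the blog."""
import hashlib
import hmac
import re
import secrets

# Assumption: a 256-bit secret held outside the database (KMS/HSM in practice).
# Generated at import time here only so the example runs stand-alone.
TOKEN_KEY = secrets.token_bytes(32)


def luhn_valid(pan: str) -> bool:
    """Luhn check digit: rejects mistyped numbers before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits at most, rest masked.
    This is the only form of the number a clerk or receipt should ever see."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenise_pan(pan: str, key: bytes = TOKEN_KEY) -> str:
    """One-way, keyed token for the PAN (HMAC-SHA256).

    A plain SHA-256 of a 16-digit number is NOT protection: the whole
    space can be hashed in minutes.  The secret key is what makes the
    token useless to someone who only has the database."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def store_card(raw_pan: str, db: dict, key: bytes = TOKEN_KEY) -> str:
    """Normalise, validate, then store only {token: {masked}} in `db`.
    Returns the token so the merchant can recognise a repeat card."""
    pan = re.sub(r"\D", "", raw_pan)            # strip spaces and dashes
    if not 13 <= len(pan) <= 19 or not luhn_valid(pan):
        raise ValueError("invalid card number")
    token = tokenise_pan(pan, key)
    db[token] = {"masked": mask_pan(pan)}
    return token


def pan_present(db: dict, pan: str) -> bool:
    """Audit helper: does any stored value contain the full PAN?"""
    return any(pan in str(row) for row in db.values())


if __name__ == "__main__":
    # Constructed sample input: the well-known Visa test number.
    records = {}
    tok = store_card("4111 1111 1111 1111", records)
    print(tok, records[tok])
    print("full PAN in database:", pan_present(records, "4111111111111111"))
```

Note that an HMAC token is one-way: it lets you recognise the same card again but cannot give the number back. If the business genuinely needs the PAN later (recurring billing, for example), that is the case where the article's "encrypted data" applies, using an authenticated cipher from a vetted library with the key managed separately; most small merchants are better off not storing the PAN at all and letting the processor hold it.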

DVDNow CHicagoland (Tom) said...

Do I remember reading that there was NO fee for Securitymetrics? I called them and they want $200 to certify two kiosks.

Mike at ReadyDVD said...

I paid First Data $139.95 and they gave me $50 back after I complained about the fee. Security Metrics didn't charge me anything. I told them that I was with Roy at First Data and that I was trying to get this done because Roy told me to use Security Metrics. Mike Decker ran me through the process and it didn't cost me anything. I am not sure if First Data pays Security Metrics for doing this for us. Ask Mike Decker about it. This is what happened to me. I am with Roy and First Data here locally in Billings. I am not sure if that matters, but this is what happened with me. Feel free to call Roy Neese. His info is on the left hand side of this blog. Or, just ask Mike Decker about it. He told me that he needs to know who you are with and what you have going on. I am sure there is red tape somewhere with all of these companies.

Sincerely,

Mike Weiland
http://readydvd.com

IMMIKED said...

Hi,

This is Mike from Security Metrics. I have been handling many of your PCI Compliance accounts and I thank you all individually for your patience as we have worked through each problem as it has arisen. As all of us hope to do, I am moving up in the world. I will only be able to help you with your PCI compliance until April 15. Please contact me by Wed. at noon MST so we can get this taken care of. My personal line at work is 801 995 6329. Please have all of your kiosks' public IP addresses accessible at the time that you call me. If it will be difficult to contact me by phone please feel free to email me at michaeldecker@securitymetrics.com. We will go over very briefly some basic information and what needs to happen so I can verify that you are compliant. Just a reminder that Visa and MasterCard are requiring this, so please get back to me as soon as possible.

Thank you for your time

Mike Decker
Security Metrics
801 995 6329
michaeldecker@securitymetrics.com